package com.dddpeter.app.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Autowired
    private JwtAuthenticationFilter jwtAuthenticationFilter;

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers("/api/auth/**").permitAll()
                .antMatchers("/api/health").permitAll()
                .antMatchers("/api/").permitAll()
                .antMatchers("/assets/**").permitAll()
                .antMatchers("/", "/about", "/login", "/admin", "/admin/**").permitAll()
                .antMatchers("/*.html", "/*.js", "/*.css", "/*.png", "/*.jpg", "/*.ico").permitAll()
                // 文章查询接口无需认证（GET 请求）
                .antMatchers(org.springframework.http.HttpMethod.GET, 
                    "/api/articles",
                    "/api/articles/published",
                    "/api/articles/page",
                    "/api/articles/published/page",
                    "/api/articles/published/page/stats",
                    "/api/articles/search",
                    "/api/articles/search/page",
                    "/api/articles/category/page",
                    "/api/articles/category/page/stats",
                    "/api/articles/categories/page",
                    "/api/articles/stats",
                    "/api/articles/*").permitAll()
                // 字典查询接口无需认证（GET 请求）
                .antMatchers(org.springframework.http.HttpMethod.GET, 
                    "/api/dict/categories",
                    "/api/dict/types",
                    "/api/dict/types/*",
                    "/api/dict/data",
                    "/api/dict/data/*",
                    "/api/dict/data/type/*").permitAll()
                // 用户查询接口无需认证（GET 请求）- 用于显示文章作者信息
                .antMatchers(org.springframework.http.HttpMethod.GET, 
                    "/api/users",
                    "/api/users/*").permitAll()
                // 评论相关接口无需认证（允许匿名评论和点赞）
                .antMatchers("/api/comments/**").permitAll()
                // 其他字典操作需要认证（POST、PUT、DELETE）
                .antMatchers("/api/dict/**").hasAnyRole("USER", "ADMIN")
                // 其他文章操作需要认证（POST、PUT、DELETE）
                .antMatchers("/api/articles/**").hasAnyRole("USER", "ADMIN")
                .antMatchers("/api/users/**").hasAnyRole("USER", "ADMIN")
                .anyRequest().authenticated()
            .and()
            .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);

        return http.build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
    
}
